Updated on 1/2/2013.
Any business executive will agree that the compromise of infrastructure and communications systems brings about a level of excitement that’s best left for the cinema. There has been an incredible amount of unrest and buzz across the industry of late, driven by the stark realization that devices we use daily can easily be compromised without proper vigilance. Simply stated, Ang Cui has made a brilliant academic career out of attacking common embedded systems (routers, printers, phones), while Cisco has earned the trust of consumers for reliability. This event has caused a corresponding divide, and Cisco are hard at work to close that gap as soon as possible. Eavesdropping on Air Force One seems a laughable circumstance, though it is a feasible one given recent developments. Although Cisco are now ‘enlightened’ as to their technological shortcomings, the lack of authentication and security in existing systems has the potential to hurt Cisco big time.
Everyone loves a little flexibility in their communications, but not to the extent that an intruder can commandeer them for evil, hacking, or otherwise. No matter how you’d like to describe vulnerability to the tech-savvy with poor intentions, this is not good. Cisco phones run an operating system based on Unix, which has been found to contain “very exploitable bugs”. Having developed a device amusingly called “the Thingp3wn3r”, a scientist at Columbia was able to “take control” of a 7900 series Cisco IP Phone, which fast became the microphoned marionette of the well-intended and educated hackers.
Originally featured in Forbes, this plight of Cisco phones was colorfully exposed by Ang Cui, a fifth-year grad student from the Columbia University Intrusion Detection Systems Lab and co-founder of Red Balloon Security, in front of a presumably ambivalent crowd at the Amphion Forum in San Francisco. Cui called Cisco-branded IP Phones, among other similar devices, “general-purpose computers”. That is not so flattering for a creation whose purpose is quite different, and which is assumed to be secure and trustworthy by government agencies and the like. On December 4, Cui put on a demonstration in which he compromised a hapless IP Phone from Cisco, leveraging a default password laid into all Cisco phones and turning the off-hook switch (an indicator as to when the microphone is active, among other duties) into a “funtenna”. In the process, Cui turned the phone into a “walkie-talkie”, able to use the handset microphone or speaker phone to eavesdrop. The article from Forbes featured a victorious Ang Cui, smiling as he triumphantly held up the defeated Cisco Phone. On the other hand, it’s safe to say that Cisco are not sharing in that joy.
“We could turn a phone into a walkie-talkie that was always on by rewriting its software with 900 bytes of code. Within 10 minutes, it could then go on to compromise every other phone on its network so that you could hear everything,” a scientist from Columbia told IEEE Spectrum. With the largest share of the market, Cisco will need to remedy this issue, especially given the implementations and phones within the White House, financial sectors, and other high-ranking offices.
Ang Cui’s Video Release from December 18th Makes Hacking a Cisco Phone Look Easy:
Interestingly enough, the Columbia team’s initial disclosure of the problem to Cisco dates back to 10/24/12, and was swiftly followed by verification from Cisco that the concept was in fact legitimate. In just a week’s time (11/2/12), Cisco reported that the problem had been resolved. This solution was deemed available on November 20th. The fact of the matter is that any Cisco Unified IP Phone within the 7900 Series running software prior to 9.3.1-ES10 is vulnerable, a weakness dating back about 6 years.
Ang Cui’s experience with Cisco has been entertaining, to say the least, considering a timeline that has been fraught with proposals that were turned down or otherwise ignored (a.k.a. dev/dontcare). In May 2009, ‘iOS Router Defense’ didn’t go anywhere, and was followed by an even more elegant follow-up in 2011; once again, Cisco paid it no mind. Circa May of this year, Ang’s painstaking study on “IP Phone Defense” also did not shake any trees, despite the fact that a Cisco representative had sat in for an elaborate demonstration prior. Surely Cisco have taken some sort of notice as of late, as this topic is not only hot, it’s concerning. Once again, the patch for this weakness will be available later this month, though overly concerned Cisco customers may call, and probably already have.
The next stop for Cisco phones and Columbia? The RSA Conference, which will be taking place in San Francisco in roughly seven weeks. Although vaguely similar, the tone of this event will be security rather than infiltration – as Ang Cui introduces his symbiote study, incorporating ongoing developments concerning the issue at hand. Stay tuned…